Scope Binding in Apps

An app will have its set of scopes that it needs to interact with its backend endpoints. It would be ideal to not have more scopes on the user's access token than are needed at any point in time. Is it possible to silently re-auth a user using the Okta SDK to obtain different scopes? Is it possible to do this without forcing the user to log in?

Hello @Richard11,

It is possible. The 2 ways to get a new access_token are doing another authorize (relies on Okta session), or using a refresh_token.

With authorize, by default if a user does not have an active Okta session they would be presented with the Okta hosted login screen. If you don’t want this behavior and rather have the authorize fail, you can pass prompt=none. If you are using the Okta auth-js SDK, see here. Using this method allows you to request entirely different scopes if you want.

With a refresh_token, the only scopes that can be requested are either all the original scopes or a subset. You are not able to add scopes that were not part of the original authorize request which returned the access_token and refresh_token.

Thank You,

